CN111740883A - Connection control method, system, device and electronic equipment - Google Patents

Connection control method, system, device and electronic equipment

Info

Publication number: CN111740883A
Authority: CN (China)
Prior art keywords: terminal equipment, terminal device, information, connection control, network
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Granted
Application number: CN202010849749.9A
Other languages: Chinese (zh)
Other versions: CN111740883B (en)
Inventor
王滨
刘松
万里
何承润
倪俊伟
林克章
陈加栋
王星
王国云
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Hangzhou Hikvision Digital Technology Co Ltd
Original Assignee: Hangzhou Hikvision Digital Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Events: application filed by Hangzhou Hikvision Digital Technology Co Ltd; publication of CN111740883A; application granted; publication of CN111740883B; legal status: active

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks > H04L43/12 Network monitoring probes
    • H04L61/00 Network arrangements, protocols or services for addressing or naming > H04L61/50 Address allocation > H04L61/5069 Address allocation for group communication, multicast communication or broadcast communication
    • H04L63/00 Network architectures or network communication protocols for network security > H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls > H04L63/0227 Filtering policies
    • H04L63/00 Network architectures or network communication protocols for network security > H04L63/08 Network architectures or network communication protocols for network security for authentication of entities > H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/00 Network architectures or network communication protocols for network security > H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/00 Network architectures or network communication protocols for network security > H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L41/08 Configuration management of networks or network elements > H04L41/085 Retrieval of network configuration; Tracking network configuration history > H04L41/0853 Retrieval of network configuration; Tracking network configuration history by actively collecting configuration information or by backing up configuration information
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L41/12 Discovery or management of network topologies

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The application provides a connection control method, system, device and electronic device. A probe device detects connection control information for the terminal devices in the same network as itself, and the network connection between a target terminal device that is to be subjected to network connection control and the external management center network is blocked according to that connection control information. Connection control of the network connection between terminal devices and the external management center network is thereby realized, and the security of the external management center network is improved.

Description

Connection control method, system, device and electronic equipment
Technical Field
The present application relates to data security technologies, and in particular to a connection control method, system, device and electronic device.
Background
Currently, in some application scenarios, a terminal device connected to a management center network within a terminal device network may be a privately connected (rogue) or counterfeit device. The terminal device may be a front-end device such as an access control host, a camera or a video surveillance terminal. Taking a video surveillance terminal as an example, the management center network here may be the management center network used for video surveillance management.
Once a privately connected or counterfeit terminal device is connected to the management center network, it poses great risks to that network, such as damage to a management device within it.
Disclosure of Invention
The application provides a connection control method, system, device and electronic device for performing connection control on the network connection between a terminal device and an external management center network.
The application provides a connection control method, applied to a probe device, comprising the following steps:
sending a probe packet to the terminal devices in the same network;
receiving the response packets returned for the probe packet by the terminal devices in the same network, each response packet carrying terminal device information;
and determining the corresponding terminal device connection control information according to the terminal device information carried by the response packets, and blocking the network connection between a target terminal device to be subjected to network connection control and the external management center network according to the terminal device connection control information.
Optionally, the probe packet is sent to the terminal devices in the same network in any one of the following manners:
sending a multicast probe packet to the terminal devices in the same network, where all terminal devices in the same network belong to the multicast group corresponding to the multicast probe packet;
sending a unicast probe packet to each terminal device in the same network respectively;
or sending a broadcast probe packet to each terminal device in the same network.
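The probe-and-response exchange described in the steps above, worked through as an added example that is not code from the patent or from its assignee. The wire format (a magic value, a message type and a random nonce followed by a JSON body), the requirement that a response echo the probe's nonce, and the in-memory `Segment` standing in for the shared network are all assumptions of this example; the patent specifies neither a packet format nor how responses are matched to probes. The nonce check is the practical addition: it lets the probe device discard stale or unsolicited responses instead of trusting any packet that claims to be terminal device information.

```python
import json
import os
import struct

# Wire format assumed for this example (the patent does not specify one):
# 4-byte magic, 1-byte message type, 8-byte nonce, then a UTF-8 JSON body.
MAGIC = b"PRB1"
TYPE_PROBE = 1
TYPE_RESPONSE = 2
HEADER = struct.Struct("!4sB8s")


def build_probe(nonce=None):
    """Probe packet sent by the probe device; the nonce ties responses to this probe."""
    nonce = nonce if nonce is not None else os.urandom(8)
    return HEADER.pack(MAGIC, TYPE_PROBE, nonce) + b"{}", nonce


def parse_message(data):
    """Decode a probe or response; raises ValueError on anything malformed."""
    if len(data) < HEADER.size:
        raise ValueError("message shorter than header")
    magic, mtype, nonce = HEADER.unpack_from(data)
    if magic != MAGIC or mtype not in (TYPE_PROBE, TYPE_RESPONSE):
        raise ValueError("not a probe-protocol message")
    body = json.loads(data[HEADER.size:].decode("utf-8"))
    if not isinstance(body, dict):
        raise ValueError("body must be a JSON object")
    return mtype, nonce, body


def build_response(probe_bytes, device_info):
    """Terminal side: answer a probe with the device's own terminal device information."""
    mtype, nonce, _ = parse_message(probe_bytes)
    if mtype != TYPE_PROBE:
        raise ValueError("can only respond to a probe")
    return HEADER.pack(MAGIC, TYPE_RESPONSE, nonce) + json.dumps(device_info).encode("utf-8")


def collect_responses(nonce, replies):
    """Probe side: keep only well-formed responses that echo this probe's nonce."""
    collected = {}
    for reply in replies:
        try:
            mtype, reply_nonce, body = parse_message(reply)
        except ValueError:
            continue
        if mtype != TYPE_RESPONSE or reply_nonce != nonce or "ip" not in body:
            continue  # malformed, stale or unsolicited: not attributed to this probe
        collected[body["ip"]] = body
    return collected


class Terminal:
    def __init__(self, info, groups=()):
        self.info = info            # constructed terminal device information
        self.groups = set(groups)   # multicast groups this terminal has joined

    def handle(self, data):
        return build_response(data, self.info)


class Segment:
    """In-memory stand-in for the shared network: delivers a probe by unicast, multicast or broadcast."""

    def __init__(self, terminals):
        self.terminals = list(terminals)

    def deliver(self, data, mode, target=None):
        if mode == "unicast":
            recipients = [t for t in self.terminals if t.info["ip"] == target]
        elif mode == "multicast":
            recipients = [t for t in self.terminals if target in t.groups]
        elif mode == "broadcast":
            recipients = self.terminals
        else:
            raise ValueError("unknown delivery mode: " + mode)
        return [t.handle(data) for t in recipients]


def probe_segment(segment, mode, targets=None):
    """One discovery round; unicast sends a separate probe (with its own nonce) to each target IP."""
    found = {}
    if mode == "unicast":
        for ip in targets or []:
            probe, nonce = build_probe()
            found.update(collect_responses(nonce, segment.deliver(probe, mode, ip)))
    else:
        probe, nonce = build_probe()
        found.update(collect_responses(nonce, segment.deliver(probe, mode, targets)))
    return found


# Constructed sample segment for a stand-alone run.
SAMPLE = Segment([
    Terminal({"ip": "192.0.2.10", "mac": "00:11:22:33:44:10", "model": "CAM-A"}, groups={"239.0.0.1"}),
    Terminal({"ip": "192.0.2.11", "mac": "00:11:22:33:44:11", "model": "CAM-A"}, groups={"239.0.0.1"}),
    Terminal({"ip": "192.0.2.12", "mac": "00:11:22:33:44:12", "model": "NVR-B"}),
])

if __name__ == "__main__":
    for mode, target in (("multicast", "239.0.0.1"), ("broadcast", None), ("unicast", ["192.0.2.12"])):
        print(mode, sorted(probe_segment(SAMPLE, mode, target)))
```

The multicast round reaches only the terminals that joined the group, which is the condition the claim places on the multicast manner; the broadcast round reaches every terminal on the segment, and the unicast round reaches exactly the addresses the probe device already knows, so a device that was never enrolled is only discovered by the first two manners.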
Optionally, blocking the network connection between the target terminal device to be subjected to network connection control and the external management center network according to the terminal device connection control information comprises:
sending the terminal device connection control information to a deployed connection control device, which triggers the connection control device to determine, according to that information, the target terminal device to be subjected to network connection control and to block the network connection between the target terminal device and the external management center network.
Optionally, determining the corresponding terminal device connection control information according to the terminal device information carried by the response packets comprises either:
taking the terminal device information carried by each received response packet as the corresponding terminal device connection control information; or
determining, according to the terminal device information carried by each received response packet, whether the terminal device that the information corresponds to is a target terminal device to be subjected to network connection control, and, when it is, taking indication information indicating that the terminal device is such a target terminal device as the corresponding terminal device connection control information.
Optionally, the terminal device information comprises a single parameter, and determining whether the corresponding terminal device is a target terminal device to be subjected to network connection control comprises: for each received response packet, when the terminal device information it carries is not in a configured terminal device information whitelist, determining that the corresponding terminal device is a target terminal device to be subjected to network connection control; or
the terminal device information comprises two or more parameters, one of which is the IP address of the terminal device, and determining whether the corresponding terminal device is a target terminal device comprises, for the terminal device information carried by each response packet:
when reference terminal device information corresponding to the terminal device information is stored, determining that the corresponding terminal device is a target terminal device to be subjected to network connection control if the terminal device information differs from the reference terminal device information in at least one parameter, or if it differs in at least one parameter and the IP address in the terminal device information is not in a configured IP whitelist; the reference terminal device information includes the IP address; or
when no reference terminal device information is stored, or when none is stored and the IP address is not in the configured IP whitelist, determining that the corresponding terminal device is a target terminal device to be subjected to network connection control.
Optionally, the probe device is connected in series in the network, on the communication path over which each terminal device in the network communicates with the external management center network; blocking the network connection between the target terminal device and the external management center network then comprises intercepting and discarding the data packets exchanged when the target terminal device communicates with the external management center network.
An embodiment of the application provides a connection control method, applied to a connection control device, comprising the following steps:
obtaining, from a deployed probe device, the terminal device connection control information corresponding to each terminal device in the same network as the probe device;
determining, according to the obtained terminal device connection control information, a target terminal device to be subjected to network connection control;
and blocking the network connection between the target terminal device and the external management center network.
Optionally, the terminal device connection control information is indication information indicating that a terminal device is a target terminal device to be subjected to network connection control, and determining the target terminal device according to the obtained information comprises taking the terminal device indicated by the indication information as the target terminal device; or
the terminal device connection control information is terminal device information comprising a single parameter, and determining the target terminal device comprises: when the terminal device information is not in a configured terminal device information whitelist, taking the terminal device corresponding to it as the target terminal device; or
the terminal device connection control information is terminal device information comprising two or more parameters, one of which is the IP address of the terminal device, and determining the target terminal device comprises:
for each piece of terminal device information, when no reference terminal device information corresponding to it is stored, or when none is stored and the IP address in the terminal device information is not in a configured IP whitelist, taking the terminal device corresponding to it as the target terminal device; reference terminal device information corresponds to a piece of terminal device information when the two carry the same IP address; or
for each piece of terminal device information, when reference terminal device information corresponding to it is stored, taking the terminal device corresponding to it as the target terminal device if the terminal device information differs from the reference terminal device information in at least one parameter, or if it differs in at least one parameter and the IP address in the terminal device information is not in a configured IP whitelist.
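The target-determination logic of the two method claims above (the single-parameter whitelist check, and the multi-parameter comparison against stored reference information with an optional IP whitelist), as an added example that is not code from the patent or from its assignee. The same decision rules are restated later for the apparatus units, so this one block serves all of those passages. The shape of the terminal device information (a dict keyed by parameter name that includes `ip`), the reference table keyed by IP, and the `reason` strings are assumptions of this example; the claims only name "parameters" and say that the reference information includes the IP address.

```python
def is_target_single_parameter(info_value, info_whitelist):
    """Single-parameter mode: the device is a target unless its information is whitelisted."""
    return info_value not in info_whitelist


def classify_device(info, reference_table, ip_whitelist=None):
    """Multi-parameter mode.

    info: terminal device information, a dict that includes 'ip'.
    reference_table: stored reference information keyed by IP address (assumed layout).
    ip_whitelist: optional set of IPs. When given, a suspicious device is only a target
    if its IP is not whitelisted, which is the second alternative in the claims.
    Returns (is_target, reason).
    """
    ip = info["ip"]
    ref = reference_table.get(ip)
    if ref is None:
        suspicious, reason = True, "no reference information stored for this IP"
    else:
        # Any parameter that differs from the stored reference makes the device suspicious;
        # comparing the union of keys also catches a parameter that was added or dropped.
        changed = sorted(k for k in set(info) | set(ref) if info.get(k) != ref.get(k))
        suspicious = bool(changed)
        reason = ("differs from reference in: " + ", ".join(changed)) if changed else "matches reference"
    if suspicious and ip_whitelist is not None and ip in ip_whitelist:
        return False, reason + " (IP whitelisted)"
    return suspicious, reason


def select_targets(infos, reference_table, ip_whitelist=None):
    """Return {ip: reason} for every device that is to be subjected to connection control."""
    targets = {}
    for info in infos:
        is_target, reason = classify_device(info, reference_table, ip_whitelist)
        if is_target:
            targets[info["ip"]] = reason
    return targets


# Constructed reference table (what the devices looked like when enrolled) and a
# constructed discovery result (what the probe round returned).
REFERENCE = {
    "192.0.2.10": {"ip": "192.0.2.10", "mac": "00:11:22:33:44:10", "model": "CAM-A", "serial": "S10"},
    "192.0.2.11": {"ip": "192.0.2.11", "mac": "00:11:22:33:44:11", "model": "CAM-A", "serial": "S11"},
}
DISCOVERED = [
    {"ip": "192.0.2.10", "mac": "00:11:22:33:44:10", "model": "CAM-A", "serial": "S10"},  # unchanged
    {"ip": "192.0.2.11", "mac": "00:11:22:33:44:99", "model": "CAM-A", "serial": "S11"},  # MAC changed at a known IP
    {"ip": "192.0.2.12", "mac": "00:11:22:33:44:12", "model": "NVR-B", "serial": "S12"},  # never enrolled
]

if __name__ == "__main__":
    for ip, why in select_targets(DISCOVERED, REFERENCE).items():
        print(ip, "->", why)
    print("with IP whitelist:", select_targets(DISCOVERED, REFERENCE, ip_whitelist={"192.0.2.12"}))
```

Two points worth noticing when running it: a known IP whose other parameters changed is flagged even though its address is familiar, which is what distinguishes the multi-parameter mode from a plain IP whitelist; and adding an IP to the whitelist exempts that address from both conditions, so a whitelist entry is a deliberate exception to the reference comparison rather than a second check on top of it.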
Optionally, the connection control device is attached to a core router, the core router being the router connected between the network and the external management center network; blocking the network connection between the target terminal device and the external management center network then comprises: obtaining from the core router the data packets exchanged when the target terminal device communicates with the external management center network, generating from each data packet a forged packet indicating that the packet's destination is unreachable, and sending the forged packet to the core router so that the core router forwards it to the packet's source, the forged packet serving to interrupt the network connection between the target terminal device and the external management center network; or
the connection control device is connected in series on the communication path over which each terminal device in the network communicates with the external management center network, and blocking the network connection between the target terminal device and the external management center network comprises intercepting and discarding the data packets exchanged when the target terminal device communicates with the external management center network.
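The in-series blocking alternative (the connection control device, or the probe device in the earlier optional arrangement, sits on the path between the terminal network and the management center network and discards the target device's packets), as an added example that is not code from the patent or from its assignee. It takes the indication information produced by the probe device as a `{ip: is_target}` mapping, which is an assumed representation. The example blocks only traffic that actually crosses the boundary to the management center network prefix, in both directions, and lets traffic between terminals on the same side pass; that scoping is a design choice of this example, since the claims speak of blocking the connection to the external management center network rather than all traffic of the device. The router-attached alternative that injects unreachable notifications is not implemented here.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"


class InlineBlocker:
    """Connection control device deployed in series between the terminal network and the
    management center network; packets of target devices that cross that boundary are dropped."""

    def __init__(self, management_net, targets=()):
        self.management_net = ipaddress.ip_network(management_net)
        self.targets = set(targets)
        self.dropped = []   # audit record of intercepted packets

    def apply_control_info(self, control_info):
        """Take the probe device's indication information, assumed here to be {ip: is_target}."""
        self.targets = {ip for ip, is_target in control_info.items() if is_target}

    def terminal_side(self, pkt):
        """Return the terminal-network IP of a packet crossing the boundary, else None."""
        src_mgmt = ipaddress.ip_address(pkt.src) in self.management_net
        dst_mgmt = ipaddress.ip_address(pkt.dst) in self.management_net
        if src_mgmt == dst_mgmt:
            return None   # both ends on the same side: not a terminal-to-management flow
        return pkt.dst if src_mgmt else pkt.src

    def forward(self, pkt):
        """True if the packet may pass, False if it is intercepted and discarded."""
        terminal = self.terminal_side(pkt)
        if terminal is not None and terminal in self.targets:
            self.dropped.append(pkt)
            return False
        return True

    def run(self, packets):
        return [p for p in packets if self.forward(p)]


# Constructed sample traffic: management center network is 10.0.0.0/24, terminals are 192.0.2.0/24.
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "10.0.0.5"),     # approved camera -> management server
    Packet("192.0.2.12", "10.0.0.5"),     # target device -> management server
    Packet("10.0.0.5", "192.0.2.12"),     # management server -> target device (reverse direction)
    Packet("192.0.2.12", "192.0.2.10"),   # target device talking inside its own network
]


def demo():
    """Run the sample traffic through a blocker fed with constructed indication information."""
    blocker = InlineBlocker("10.0.0.0/24")
    blocker.apply_control_info({"192.0.2.10": False, "192.0.2.12": True})
    return blocker.run(SAMPLE_PACKETS), blocker.dropped


if __name__ == "__main__":
    passed, dropped = demo()
    print("forwarded:", passed)
    print("dropped:", dropped)
```

Dropping the reverse direction matters: if only terminal-to-management packets were discarded, a management-side host could still open connections towards the target device, and the blocked device would still learn that the management network is reachable.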
An embodiment of the application provides a connection control system comprising a probe device and a connection control device;
the probe device is configured to perform the steps of the first method above;
the connection control device is configured to perform the steps of the second method above.
An embodiment of the application provides a connection control apparatus, applied to the probe device, comprising:
a sending unit, configured to send a probe packet to the terminal devices in the same network;
a receiving unit, configured to receive the response packets returned for the probe packet by the terminal devices in the same network, each response packet carrying terminal device information;
and a connection control unit, configured to determine the corresponding terminal device connection control information according to the terminal device information carried by the response packets, and to block the network connection between a target terminal device to be subjected to network connection control and the external management center network according to that information.
As an embodiment, the sending unit sends the probe packet to the terminal devices in the same network in any one of the following manners:
sending a multicast probe packet to the terminal devices in the same network, where all terminal devices in the same network belong to the multicast group corresponding to the multicast probe packet;
sending a unicast probe packet to each terminal device in the same network respectively;
or sending a broadcast probe packet to each terminal device in the same network.
As an embodiment, the connection control unit blocks the network connection between the target terminal device to be subjected to network connection control and the external management center network according to the terminal device connection control information by:
sending the terminal device connection control information to a deployed connection control device, which triggers the connection control device to determine, according to that information, the target terminal device to be subjected to network connection control and to block the network connection between the target terminal device and the external management center network.
As an embodiment, the connection control unit determines the corresponding terminal device connection control information according to the terminal device information carried by the response packets by either:
taking the terminal device information carried by each received response packet as the corresponding terminal device connection control information; or
determining, according to the terminal device information carried by each received response packet, whether the terminal device that the information corresponds to is a target terminal device to be subjected to network connection control, and, when it is, taking indication information indicating that the terminal device is such a target terminal device as the corresponding terminal device connection control information.
As an embodiment, the terminal device information comprises a single parameter, and the connection control unit determines whether the corresponding terminal device is a target terminal device to be subjected to network connection control by: for each received response packet, when the terminal device information it carries is not in a configured terminal device information whitelist, determining that the corresponding terminal device is a target terminal device to be subjected to network connection control; or
the terminal device information comprises two or more parameters, one of which is the IP address of the terminal device, and the connection control unit determines whether the corresponding terminal device is a target terminal device by, for the terminal device information carried by each response packet:
when reference terminal device information corresponding to the terminal device information is stored, determining that the corresponding terminal device is a target terminal device to be subjected to network connection control if the terminal device information differs from the reference terminal device information in at least one parameter, or if it differs in at least one parameter and the IP address in the terminal device information is not in a configured IP whitelist; the reference terminal device information includes the IP address; or
when no reference terminal device information is stored, or when none is stored and the IP address is not in the configured IP whitelist, determining that the corresponding terminal device is a target terminal device to be subjected to network connection control.
As an embodiment, the probe device is connected in series in the network, on the communication path over which each terminal device in the network communicates with the external management center network; on that basis, the connection control unit blocks the network connection between the target terminal device and the external management center network by intercepting and discarding the data packets exchanged when the target terminal device communicates with the external management center network.
An embodiment of the present application provides another connection control apparatus, comprising:
an obtaining unit, configured to obtain, from a deployed probe device, the terminal device connection control information corresponding to each terminal device in the same network as the probe device;
a determining unit, configured to determine, according to the obtained terminal device connection control information, a target terminal device to be subjected to network connection control;
and a blocking unit, configured to block the network connection between the target terminal device and the external management center network.
As an embodiment, the terminal device connection control information is indication information indicating that a terminal device is a target terminal device to be subjected to network connection control, and the determining unit determines the target terminal device by taking the terminal device indicated by the indication information as the target terminal device; or
the terminal device connection control information is terminal device information comprising a single parameter, and the determining unit determines the target terminal device by: when the terminal device information is not in a configured terminal device information whitelist, taking the terminal device corresponding to it as the target terminal device; or
the terminal device connection control information is terminal device information comprising two or more parameters, one of which is the IP address of the terminal device, and the determining unit determines the target terminal device by:
for each piece of terminal device information, when no reference terminal device information corresponding to it is stored, or when none is stored and the IP address in the terminal device information is not in a configured IP whitelist, taking the terminal device corresponding to it as the target terminal device; reference terminal device information corresponds to a piece of terminal device information when the two carry the same IP address; or
for each piece of terminal device information, when reference terminal device information corresponding to it is stored, taking the terminal device corresponding to it as the target terminal device if the terminal device information differs from the reference terminal device information in at least one parameter, or if it differs in at least one parameter and the IP address in the terminal device information is not in a configured IP whitelist.
As an embodiment, the connection control device is attached to a core router, the core router being the router connected between the network and the external management center network; the blocking unit blocks the network connection between the target terminal device and the external management center network by: obtaining from the core router the data packets exchanged when the target terminal device communicates with the external management center network, generating from each data packet a forged packet indicating that the packet's destination is unreachable, and sending the forged packet to the core router so that the core router forwards it to the packet's source, the forged packet serving to interrupt the network connection between the target terminal device and the external management center network; or
the connection control device is connected in series on the communication path over which each terminal device in the network communicates with the external management center network, and the blocking unit blocks the network connection between the target terminal device and the external management center network by intercepting and discarding the data packets exchanged when the target terminal device communicates with the external management center network.
An embodiment of the application also provides an electronic device. The electronic device comprises a processor and a machine-readable storage medium;
the machine-readable storage medium stores machine-executable instructions executable by the processor;
and the processor is configured to execute those machine-executable instructions to implement the steps of the method disclosed above.
According to the above technical solution, the probe device detects the connection control information of the terminal devices in the same network and blocks, according to that information, the network connection between a target terminal device to be subjected to network connection control and the external management center network. Connection control of the network connection between terminal devices and the external management center network is thereby realized, and the security of the external management center network is improved.
Further, in this embodiment the target terminal device to be subjected to network connection control (for example a privately connected or counterfeit terminal device) is identified by the probe device from the response packets that the terminal devices return. Compared with identifying such devices through traffic analysis, the scheme is simple to implement, discovers an abnormal terminal device (that is, the target terminal device, such as a privately connected or counterfeit terminal device) in a timely manner, requires no traffic analysis, and does not affect traffic transmission.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.
FIG. 1 is a flowchart of a method provided by an embodiment of the present application;
FIG. 2 is a schematic diagram of an application example provided by an embodiment of the present application;
FIG. 3 is a schematic diagram of terminal device information provided in an embodiment of the present application;
FIG. 4 is a schematic diagram illustrating a probe device sending terminal device connection control information to a connection control device according to an embodiment of the present application;
FIG. 5 is a flowchart of another method provided by an embodiment of the present application;
FIG. 6 is a schematic diagram of forged packet transmission provided in an embodiment of the present application;
FIG. 7 is a schematic diagram of another application example provided in the embodiments of the present application;
FIG. 8 is a block diagram of a system provided in an embodiment of the present application;
FIG. 9 is a block diagram of an apparatus according to an embodiment of the present application;
FIG. 10 is a block diagram of another apparatus according to an embodiment of the present application;
FIG. 11 is a structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
In order to make the technical solutions provided in the embodiments of the present application better understood and make the above objects, features and advantages of the embodiments of the present application more comprehensible, the technical solutions in the embodiments of the present application are described in further detail below with reference to the accompanying drawings.
Referring to fig. 1, fig. 1 is a flowchart of a connection control method provided in an embodiment of the present application. The process is performed by the probe device. Here, the probe device is newly deployed to implement the connection control method provided in the present embodiment. Optionally, in this embodiment, the probe device may take various forms; for example, the probe device may be a probe, and this embodiment is not particularly limited.
In one example, each network may deploy a probe device, and the deployed probe device performs the flow illustrated in FIG. 1 described below. In another example, different networks may share the same probe device, and on this premise the probe device performs the flow shown in fig. 1 below for each of those networks (here, by default, the probe device and any network sharing it may be regarded as belonging to the same network). Optionally, a network is obtained by dividing the terminal device network according to actual service requirements. A network may correspond to a Wireless Local Area Network (WLAN). For example, in a company, each subsidiary or each division may be considered a network. Fig. 2 shows a schematic diagram of networks by way of example, in which network 1 and network 2 each deploy their own probe device.
As shown in fig. 1, the process may include the following steps:
step 101, a detection device sends a detection packet to terminal devices in the same network.
As an embodiment, in step 101, the probe device may send a probe packet, periodically or at irregular intervals, to the terminal devices in the same network. Here, a terminal device may be an NVR, a camera, an access control host, an alarm host, or the like; this embodiment is not particularly limited.
In this embodiment, the probe device may send the probe packet to the terminal devices in the same network in many ways. As an embodiment, the sending, by the probe device, of the probe packet to the terminal devices in the same network may include: sending a multicast probe packet to the terminal devices in the same network. Here, all terminal devices in the same network belong to the multicast group to which the multicast probe packet corresponds. In an example, the destination IP address of the multicast probe packet is the IP address of the multicast group (which may be a preset IP address, for example an address in a reserved multicast IP address range); when the destination IP address of the multicast probe packet is the IP address of the multicast group, the multicast probe packet corresponds to that multicast group.
As another embodiment, the sending, by the probe device, of the probe packet to the terminal devices in the same network may include: sending a unicast probe packet to each terminal device in the same network respectively, the destination IP address of each unicast probe packet being the IP address of that terminal device.
As another embodiment, the sending, by the probe device, of the probe packet to the terminal devices in the same network may include: sending a broadcast probe packet to the terminal devices in the same network.
Step 102, a detection device receives a response packet returned by a terminal device in the same network for the detection packet, wherein the response packet carries terminal device information.
As described in step 101, after the probe device sends the multicast probe packet to the terminal devices in the same network, any terminal device in the same network returns a response packet when it receives the multicast probe packet. Here, the terminal device may return the response packet by unicast. Similarly, after the probe device sends a unicast probe packet to each terminal device in the same network, each terminal device receiving the unicast probe packet can unicast a response packet back; or, after the probe device sends the broadcast probe packet to the terminal devices in the same network, any terminal device that receives the broadcast probe packet may also unicast a response packet back. That is, as described in step 102, the probe device will eventually receive a response packet returned by a terminal device in the same network for the probe packet.
As described in step 102, the response packet returned by the terminal device carries the terminal device information. Here, the terminal device information is used to characterize the terminal device, and may include parameters for describing the terminal device, such as: at least one of an IP address, a MAC address, a device type, a device brand, a device model, a device version number, etc. Fig. 3 illustrates one form of terminal device information (including IP address, MAC address, device type, device brand, device model, device version number).
Step 103, the probe device determines corresponding terminal device connection control information according to the terminal device information carried by the response packet, and blocks, according to the terminal device connection control information, the network connection between a target terminal device to be subjected to network connection control and the external management center network.
In this embodiment, in step 103, the probe device determines the corresponding terminal device connection control information according to the terminal device information carried in the response packet. This may be implemented in many ways, which are described by way of example below and not repeated here.
In this embodiment, the detection device blocks network connection between the target terminal device to be network connection controlled and the external management center network according to the terminal device connection control information. As one implementation manner, the blocking, by the detection device, the network connection between the target terminal device to be network connection controlled and the external management center network according to the terminal device connection control information may include: the detection equipment sends terminal equipment connection control information to deployed connection control equipment so as to trigger the connection control equipment to determine target terminal equipment to be subjected to network connection control according to the terminal equipment connection control information and block network connection between the target terminal equipment and an external management center network. Here, the connection control device is newly deployed to implement the connection control method provided in this embodiment, and may be deployed in a network where the probe device is located, or between the network and an external management center network, which will be described below by way of example. The detection device is in communication with the connection control device. In order to ensure that the connection control information of the terminal device sent by the detection device is not leaked, the detection device may encrypt the connection control information of the terminal device before sending the connection control information of the terminal device to the deployed connection control device, and then send the connection control information of the terminal device to the deployed connection control device. As for the specific encryption method, a mature encryption algorithm can be adopted, and is not limited herein. 
When the connection control device receives the encrypted terminal device connection control information, it decrypts it with the decryption method corresponding to the encryption method to obtain the terminal device connection control information. Then, the target terminal device to be subjected to network connection control is determined according to the terminal device connection control information and the network connection between the target terminal device and the external management center network is blocked, specifically by the flow shown in fig. 5 below, which is not described here again.
As another implementation manner, the blocking, by the probe device, of the network connection between the target terminal device to be subjected to network connection control and the external management center network according to the terminal device connection control information may include: the probe device actively determines the target terminal device to be subjected to network connection control according to the terminal device connection control information, and actively blocks the network connection between that target terminal device and the external management center network. The probe device may actively determine the target terminal device according to the terminal device connection control information in many ways, which are described by way of example below and not repeated here. Once the probe device has actively determined the target terminal device to be subjected to network connection control according to the terminal device connection control information, it can actively block the network connection between the target terminal device and the external management center network by intercepting and discarding the data packets the target terminal device exchanges with the external management center network.
In this embodiment, to ensure that the detection device intercepts the data packet when the target terminal device communicates with the external management center network, the detection device may be connected in series in the network and located on a communication path where each terminal device in the network communicates with the external management center network, so that the detection device can intercept and discard the data packet when any target terminal device in the network communicates with the external management center network, and the purpose of blocking the network connection between the target terminal device and the external management center network is achieved.
Thus, the flow shown in fig. 1 is completed.
As can be seen from the flow shown in fig. 1, in this embodiment, the detection device detects connection control information of terminal devices in the same network, and blocks network connection between a target terminal device to be network connection controlled and an external management center network according to the connection control information of the terminal devices, so that connection control of network connection between the terminal devices and the external management center network is achieved, and security of the external management center network is improved.
Further, in this embodiment, the target terminal device to be subjected to network connection control, such as a privately connected or counterfeit terminal device, may be determined by the probe device from the response packet fed back by the terminal device. Compared with existing schemes that identify such target terminal devices (privately connected or counterfeit terminal devices) by analyzing traffic, this scheme is simple to implement, discovers an abnormal terminal device (that is, the target terminal device, such as a privately connected or counterfeit terminal device) in time, requires no traffic analysis, and does not affect traffic transmission.
Taking an example that the probe device sends the connection control information of the terminal device to the deployed connection control device, the flow shown in fig. 1 is described by way of example in fig. 2:
Referring to fig. 2, fig. 2 is a schematic diagram of an application embodiment provided in the embodiment of the present application. As shown in fig. 2, the terminal device network is divided into two networks, network 1 and network 2. Network 1 and network 2 are each provided with a probe device. The probe device deployed in network 1 is denoted 21, and the probe device deployed in network 2 is denoted 22.
In one example, the probe device 21 deployed in network 1 and each terminal device in network 1 are connected to a switch of network 1. Similarly, the probe device 22 deployed in network 2 and each terminal device in network 2 are connected to a switch of network 2. A terminal device in network 1 or network 2 may be an NVR, a camera, an access control host, an alarm host, or the like.
Taking network 1 as an example (network 2 is similar):
The probe device 21 sends a multicast probe packet to each terminal device in network 1 when the probe period arrives. Each terminal device in network 1 belongs to the same multicast group, and the multicast address of that group is the destination address of the multicast probe packet (that is, the multicast group corresponds to the multicast probe packet). Based on this, when any terminal device in network 1 receives the multicast probe packet, it returns a response packet to the probe device 21. The response packet carries the terminal device information of the terminal device that sent it, such as the terminal device information shown in fig. 3.
When the detection device 21 receives a response packet sent by any terminal device in the detection period, it determines corresponding terminal device connection control information according to the terminal device information carried in the response packet, and when the detection period ends, sends each terminal device connection control information determined in the detection period to the deployed connection control device. Taking the example that the connection control device is deployed between the network 1 and the external management center network, fig. 4 illustrates a schematic diagram that the detection device 21 sends the terminal device connection control information to the connection control device.
Finally, it is achieved that the detection device 21 in the network 1 sends the detected connection control information of the terminal device in the same network to the connection control device. Similarly, the detection device 22 in the network 2 sends the detected connection control information of the terminal device in the same network to the connection control device. When the connection control device receives the connection control information of the terminal device, the connection control device determines a target terminal device to be subjected to network connection control according to the received connection control information of the terminal device and blocks network connection between the target terminal device and an external management center network. Specifically, refer to the flow shown in fig. 5, which is not described herein again.
So far, the description of the embodiment shown in fig. 2 is completed.
As an embodiment, in step 103 or in the description shown in fig. 2, the determining, by the probe device, the corresponding terminal device connection control information according to the terminal device information carried in the response packet may include step a:
step a: and the detection equipment determines the terminal equipment information carried by the received response packet as the corresponding terminal equipment connection control information.
In an example, after the probe device determines the connection control information of the terminal device according to step a, the probe device may send the connection control information of the terminal device to the deployed connection control device, so as to trigger the connection control device to determine a target terminal device to be network connection controlled according to the connection control information of the terminal device and block network connection between the target terminal device and the external management center network. As for the connection control device, determining the target terminal device to be network connection controlled according to the terminal device connection control information and blocking the network connection between the target terminal device and the external management center network, a process shown in fig. 5 may be specifically used, which is not repeated here.
In another example, after the probe device determines the terminal device connection control information according to step a, the probe device may determine a target terminal device to be subjected to network connection control according to the terminal device connection control information (i.e., the terminal device information carried in the response packet), and actively block the network connection between the target terminal device and the external management center network. Here, determining the target terminal device to be subjected to network connection control according to the terminal device connection control information (i.e., the terminal device information carried by the response packet) may specifically follow step b described below. For the probe device actively blocking the network connection between the target terminal device and the external management center network, see the description above, which is not repeated here.
As another embodiment, in step 103 or in the description shown in fig. 2, the determining, by the probe device, the corresponding terminal device connection control information according to the terminal device information carried in the response packet may include step b:
step b: and determining whether the terminal equipment corresponding to the terminal equipment information is the target terminal equipment to be subjected to network connection control or not according to the terminal equipment information carried by the received response packet, and determining indication information for indicating that the terminal equipment is the target terminal equipment to be subjected to network connection control as the corresponding terminal equipment connection control information when the terminal equipment corresponding to the terminal equipment information is the target terminal equipment to be subjected to network connection control.
As an embodiment, in step b, determining, according to the terminal device information carried in the received response packet, whether the terminal device corresponding to the terminal device information is a target terminal device to be subjected to network connection control may be determined according to a configured connection control policy.
Such as: the connection control policy requires that the terminal device information includes a parameter such as an IP address, or a MAC address, or a device version number, etc. It should be noted that, if the connection control policy requires that the terminal device information includes one parameter, it is also necessary to perform configuration in advance for each terminal device, so that each terminal device at least carries the parameter required by the connection control policy when returning the response packet. Under this premise, a target terminal device to be subjected to network connection control can be determined based on a connection control strategy, specifically: and when the terminal equipment information is not in the configured terminal equipment information white list, determining that the terminal equipment corresponding to the terminal equipment information is the target terminal equipment to be subjected to network connection control. Here, the connection control policy and the terminal device information white list are configured in advance according to actual requirements, and this embodiment is not particularly limited.
For another example: the connection control policy requires that the terminal device information includes more than two parameters, one of which is the IP address of the terminal device. It should be noted that, if the connection control policy requires that the terminal device information includes more than two parameters (one of which also includes an IP address), it is also necessary to configure each terminal device in advance, so that each terminal device at least carries the parameters required by the connection control policy when returning the response packet. Under the premise, there are many ways to determine the target terminal device to be network connection controlled based on the connection control policy.
As one implementation manner, determining the target terminal device to be subjected to network connection control may include: when the terminal device information carried by the response packet differs in at least one parameter from the stored reference terminal device information (previously received terminal device information that includes the IP address; examples follow below), it is determined that the terminal device corresponding to the terminal device information is the target terminal device to be subjected to network connection control. Here, the reference terminal device information is previously received terminal device information including the IP address; for example, it may be the device information (including the IP address) submitted by the terminal device when registering with the probe device, or the device information (including the IP address) of the terminal device received in the last probe period.
As another implementation manner, determining the target terminal device to be subjected to network connection control may include: when the terminal device information carried by the response packet differs in at least one parameter from the stored reference terminal device information and the IP address is not in the configured IP white list, determining the terminal device corresponding to the terminal device information as the target terminal device to be subjected to network connection control.
In the above description, there are many ways in which the terminal device information carried by the response packet may differ in at least one parameter from the stored reference terminal device information. For example, if the connection control policy requires that the terminal device information includes two parameters, the IP address and the MAC address, the difference may be: the MAC address in the terminal device information carried by the response packet differs from the MAC address in the stored reference terminal device information. For another example, if the connection control policy requires that the terminal device information includes three parameters, the IP address, the MAC address and the device brand, the difference may be at least one of: the MAC address in the terminal device information carried by the response packet differs from the MAC address in the stored reference terminal device information, and/or the device brand in the terminal device information carried by the response packet differs from the device brand in the stored reference terminal device information.
For another example, if the connection control policy requires that the terminal device information includes four parameters, the IP address, the MAC address, the device brand and the device model, the difference may be at least one of: the MAC address in the terminal device information carried by the response packet differs from the MAC address in the stored reference terminal device information, and/or the device brand in the terminal device information carried by the response packet differs from the device brand in the stored reference terminal device information, and/or the device model in the terminal device information carried by the response packet differs from the device model in the stored reference terminal device information. And so on; further cases are not enumerated here.
As another implementation manner, determining the target terminal device to be subjected to network connection control may include: when no reference terminal device information is currently stored, or when no reference terminal device information is currently stored and the IP address is not in the configured IP white list, determining that the terminal device corresponding to the terminal device information is the target terminal device to be subjected to network connection control. It should be noted that the IP white list in the above description can be preset according to actual requirements. For a terminal device whose IP address is in the IP white list, the network connection with the external management center network does not need to be controlled.
In an example, after the detection device determines the connection control information of the terminal device according to step b, the detection device may send the connection control information of the terminal device to the deployed connection control device, so as to trigger the connection control device to determine, according to the connection control information of the terminal device, a target terminal device to be subjected to network connection control and block network connection between the target terminal device and the external management center network, which may be specifically shown in the flow illustrated in fig. 5 and will not be described herein again.
In another example, after the probe device determines the terminal device connection control information according to step b, the probe device may directly determine the terminal device corresponding to the terminal device connection control information as a target terminal device to be subjected to network connection control, and actively block the network connection between the target terminal device and the external management center network. For the probe device actively blocking the network connection between the target terminal device and the external management center network, see the description above, which is not repeated here.
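The step-b decision (target or not, per response packet and connection control policy) as an added example in Python; this is not code from the patent, and the same check is what the connection control device applies in step 502 when it receives raw terminal device information from step a. Assumed here, not stated in the patent: the response payload is modelled as "key=value;key=value" text, the reference store is keyed by IP address, and a response lacking a required parameter is treated as a target; all sample data is constructed.

```python
"""Added example (not part of the patent): the step-b target-device decision."""
from dataclasses import dataclass

# The six terminal device information parameters listed for fig. 3.
PARAMS = ("ip", "mac", "device_type", "brand", "model", "version")


def parse_response(payload: str) -> dict:
    """Parse a constructed 'key=value;...' response payload (assumed format)
    into a dict, keeping only the known parameters."""
    info = {}
    for item in payload.split(";"):
        if "=" not in item:
            continue
        key, value = item.split("=", 1)
        key = key.strip().lower()
        if key in PARAMS:
            info[key] = value.strip()
    return info


@dataclass(frozen=True)
class ConnectionControlPolicy:
    # Parameters every response packet must carry.
    required: tuple
    # Single-parameter policy: terminal device information white list.
    info_whitelist: frozenset = frozenset()
    # Multi-parameter policy: IP addresses whose connection is never controlled.
    ip_whitelist: frozenset = frozenset()


def is_target(info: dict, policy: ConnectionControlPolicy, reference_store: dict) -> bool:
    """Return True if `info` describes a target terminal device to be controlled."""
    if any(p not in info for p in policy.required):
        # Assumption: a device not carrying the configured parameters cannot be
        # validated, so it is treated as a target.
        return True
    if len(policy.required) == 1:
        # One-parameter policy: the value must be on the configured white list.
        (param,) = policy.required
        return info[param] not in policy.info_whitelist
    # Two or more parameters, one of which is the IP address.
    ip = info["ip"]
    if ip in policy.ip_whitelist:
        return False
    reference = reference_store.get(ip)
    if reference is None:
        # No reference terminal device information stored for this IP.
        return True
    # Any required parameter differing from the stored reference marks a target.
    return any(info[p] != reference.get(p) for p in policy.required)


def evaluate_probe_period(payloads, policy, reference_store):
    """Indication information for one probe period: IPs of target devices."""
    targets = []
    for payload in payloads:
        info = parse_response(payload)
        if is_target(info, policy, reference_store):
            targets.append(info.get("ip", "<no ip>"))
    return targets


# Constructed reference store (e.g. information submitted at registration).
REFERENCE_STORE = {
    "192.0.2.10": {"ip": "192.0.2.10", "mac": "00:00:5e:00:53:10", "brand": "VendorA"},
    "192.0.2.11": {"ip": "192.0.2.11", "mac": "00:00:5e:00:53:11", "brand": "VendorA"},
}

# Constructed response payloads received in one probe period.
RESPONSES = [
    "ip=192.0.2.10;mac=00:00:5e:00:53:10;brand=VendorA;model=CAM-1",  # unchanged
    "ip=192.0.2.11;mac=00:00:5e:00:53:99;brand=VendorA;model=CAM-1",  # MAC changed
    "ip=192.0.2.12;mac=00:00:5e:00:53:12;brand=VendorB;model=NVR-2",  # no reference
    "ip=192.0.2.13;mac=00:00:5e:00:53:13;brand=VendorA;model=CAM-1",  # IP white-listed
]

MULTI_PARAM_POLICY = ConnectionControlPolicy(
    required=("ip", "mac", "brand"), ip_whitelist=frozenset({"192.0.2.13"})
)
SINGLE_PARAM_POLICY = ConnectionControlPolicy(
    required=("mac",),
    info_whitelist=frozenset({"00:00:5e:00:53:10", "00:00:5e:00:53:11"}),
)

if __name__ == "__main__":
    print("multi-parameter policy targets:",
          evaluate_probe_period(RESPONSES, MULTI_PARAM_POLICY, REFERENCE_STORE))
    print("single-parameter policy targets:",
          evaluate_probe_period(RESPONSES, SINGLE_PARAM_POLICY, REFERENCE_STORE))
```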
The connection control method provided by the present embodiment is described above in terms of a probe device, and the connection control method provided by the present embodiment is described below in terms of a connection control device:
referring to fig. 5, fig. 5 is a flowchart of another connection control method provided in the embodiment of the present application. The method is applied to the connection control device. In this embodiment, the connection control device is newly deployed in the network to implement the connection control method provided in this embodiment. In one example, the connection control device may be deployed in a network. One connection control device may be deployed per network. Each network-deployed connection control apparatus may perform the flow shown in fig. 5. In another example, the connection control device may be deployed between a network and an external management center network and may perform the flow illustrated in fig. 5.
As shown in fig. 5, the process may include the following steps:
step 501, a connection control device obtains, from deployed probe devices, terminal device connection control information corresponding to terminal devices in the same network as the probe devices.
As an embodiment, in the flow shown in fig. 1 or fig. 2, when the probe device receives a response packet returned by a terminal device in the same network (in response to the probe packet sent by the probe device), the probe device determines the corresponding terminal device connection control information according to the terminal device information carried in the response packet and sends it to the deployed connection control device. When the connection control device receives the terminal device connection control information sent by the probe device, this constitutes the connection control device obtaining, in step 501, the connection control information of each terminal device in the same network as the probe device from the deployed probe device.
As another embodiment, if in the flow shown in fig. 1 or fig. 2 the probe device does not send the terminal device connection control information to the deployed connection control device after determining it, the connection control device may actively obtain the terminal device connection control information corresponding to each terminal device in the same network as the probe device from the probe device; for example, the connection control device sends a request to the probe device for the terminal device connection control information, and the probe device, on receiving the request, feeds back the connection control information of each terminal device in the same network to the connection control device. This likewise constitutes the connection control device obtaining, in step 501, the connection control information of each terminal device in the same network as the probe device from the deployed probe device.
Step 502, determining a target terminal device to be network connection controlled according to the obtained connection control information of each terminal device.
As described in step b above, the terminal device connection control information may be indication information indicating that the terminal device is a target terminal device to be subjected to network connection control. Based on this, the determining, in step 502, of a target terminal device to be subjected to network connection control according to the obtained connection control information of each terminal device may include: determining the terminal device indicated by the indication information as the target terminal device.
As described in step a above, the connection control information of the terminal device is terminal device information. When the connection control information of the terminal device is the terminal device information, the target terminal device to be subjected to the network connection control is determined according to the obtained connection control information of each terminal device in step 502, and may be determined according to the configured connection control policy.
As an embodiment, the connection control policy may require the terminal device information to include one parameter, such as an IP address, a MAC address, or a device version number. It should be noted that when the connection control policy requires the terminal device information to include one parameter, each terminal device must also be configured in advance so that it carries at least the parameter required by the connection control policy when returning the response packet. On this premise, determining in step 502 the target terminal device to be network connection controlled according to the obtained connection control information of each terminal device includes: when the terminal device information is not in the configured terminal device information white list, determining the terminal device corresponding to that terminal device information as the target terminal device.
As an embodiment, the connection control policy may require the terminal device information to include two or more parameters, one of which is the IP address of the terminal device. It should be noted that when the connection control policy requires the terminal device information to include two or more parameters (one of which is the IP address), each terminal device must also be configured in advance so that it carries at least the parameters required by the connection control policy when returning the response packet. Under this premise, there are many ways of determining in step 502 the target terminal device to be network connection controlled according to the obtained connection control information of each terminal device.
As one implementation manner, determining in step 502 the target terminal device to be subjected to network connection control according to the obtained connection control information of each terminal device may include:
for each piece of terminal device information, when no reference terminal device information corresponding to the terminal device information is stored, or when no such reference terminal device information is stored and the IP address in the terminal device information is not in a configured IP white list, determining the terminal device corresponding to the terminal device information as the target terminal device. Here, reference terminal device information corresponding to a piece of terminal device information is terminal device information having the same IP address; it may be, for example, other recently obtained terminal device information that includes the IP address in the terminal device information, or terminal device information in the registration configuration that includes that IP address, and the like.
As another implementation manner, determining in step 502 the target terminal device to be subjected to network connection control according to the obtained connection control information of each terminal device may include:
for each piece of terminal device information, when reference terminal device information corresponding to the terminal device information is stored, if the terminal device information differs from the reference terminal device information in at least one parameter, or if it differs from the reference terminal device information in at least one parameter and the IP address in the terminal device information is not in a configured IP white list, determining the terminal device corresponding to the terminal device information as the target terminal device.
In one example, the terminal device information may differ from the reference terminal device information in at least one parameter in many ways. For example, if the connection control policy requires the terminal device information to include two parameters, namely the IP address and the MAC address, then the terminal device information differing from the stored reference terminal device information in at least one parameter may be: the MAC address in the carried terminal device information differs from the MAC address in the stored reference terminal device information. For another example, if the connection control policy requires the terminal device information to include three parameters, namely the IP address, the MAC address and the device brand, then the terminal device information differing from the stored reference terminal device information in at least one parameter may be: the MAC address in the terminal device information differs from the MAC address in the stored reference terminal device information, and/or the device brand in the terminal device information differs from the device brand in the stored reference terminal device information.
For another example, if the connection control policy requires the terminal device information to include four parameters, namely the IP address, the MAC address, the device brand and the device model, then the terminal device information differing from the stored reference terminal device information in at least one parameter may be: the MAC address in the terminal device information differs from the MAC address in the stored reference terminal device information, and/or the device brand in the terminal device information differs from the device brand in the stored reference terminal device information, and/or the device model in the terminal device information differs from the device model in the stored reference terminal device information. The remaining cases follow by analogy and are not exemplified here.
This completes the description of how, in step 502, the target terminal device to be network connection controlled is determined according to the obtained connection control information of each terminal device. It should be noted that the above is only an example of how that determination may be made and is not limiting.
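The white list and reference-comparison rules of step 502 can be written down as a small decision routine. The following is an added example written for this page, not code from the patent or from the applicant: it handles the single-parameter white list case and the multi-parameter case against stored reference terminal device information keyed by IP address, with the optional IP white list exemption, and its constructed sample round reproduces the fig. 7 scenario of a MAC address changing behind a known IP. The `TerminalInfo` field names, the MAC addresses and brand strings, and every address other than 10.19.10.12 (which is taken from fig. 7) are assumptions.

```python
"""Step 502 target determination, as an added illustration (not the patent's code).

Field names and sample values are assumptions; 10.19.10.12 is taken from fig. 7.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class TerminalInfo:
    """Terminal device information carried in a response packet.

    The IP address is always present; the other parameters are carried only
    when the configured connection control policy requires them.
    """
    ip: str
    mac: Optional[str] = None
    brand: Optional[str] = None
    model: Optional[str] = None


def differs_in_any_parameter(info: TerminalInfo, ref: TerminalInfo,
                             params: Iterable[str]) -> bool:
    """True when any policy-required parameter other than the IP address differs
    between the carried information and the stored reference information."""
    return any(getattr(info, p) != getattr(ref, p) for p in params if p != "ip")


def select_targets_single_param(values: Iterable[str], white_list: Set[str]) -> List[str]:
    """Single-parameter policy: the carried parameter (IP, MAC or version number)
    must appear in the configured terminal device information white list."""
    return [v for v in values if v not in white_list]


def select_targets_multi_param(infos: Iterable[TerminalInfo],
                               reference: Dict[str, TerminalInfo],
                               params: Iterable[str],
                               ip_white_list: Optional[Set[str]] = None) -> List[str]:
    """Multi-parameter policy (IP address plus at least one further parameter).

    reference maps an IP address to the stored reference terminal device
    information for that IP (the most recently obtained information, or the
    registration configuration).  A device becomes a target when no reference
    exists for its IP, or when it differs from the reference in any parameter;
    an IP in the optional IP white list is exempted in both cases.
    """
    params = list(params)
    targets: List[str] = []
    for info in infos:
        if ip_white_list is not None and info.ip in ip_white_list:
            continue
        ref = reference.get(info.ip)
        if ref is None:
            targets.append(info.ip)          # unknown device: no reference stored
        elif differs_in_any_parameter(info, ref, params):
            targets.append(info.ip)          # e.g. MAC changed behind a known IP
    return targets


def demo() -> List[str]:
    """Constructed round of probe responses reproducing the fig. 7 scenario."""
    policy = ("ip", "mac", "brand")
    reference = {
        "10.19.10.12": TerminalInfo("10.19.10.12", "00:11:22:33:44:55", "BrandA"),
        "10.19.10.13": TerminalInfo("10.19.10.13", "00:11:22:33:44:66", "BrandA"),
    }
    observed = [
        TerminalInfo("10.19.10.12", "de:ad:be:ef:00:01", "BrandA"),  # MAC changed
        TerminalInfo("10.19.10.13", "00:11:22:33:44:66", "BrandA"),  # unchanged
        TerminalInfo("10.19.10.99", "00:11:22:33:44:77", "BrandB"),  # no reference
        TerminalInfo("10.19.10.50", "00:11:22:33:44:88", "BrandA"),  # no reference, white-listed
    ]
    return select_targets_multi_param(observed, reference, policy,
                                      ip_white_list={"10.19.10.50"})


if __name__ == "__main__":
    print(demo())  # ['10.19.10.12', '10.19.10.99']
```

Only the parameters named in the policy tuple are compared, so a device whose model changes under a policy of (IP, MAC, brand) is not selected; widening the policy is what makes the extra parameter count, exactly as the three- and four-parameter cases above describe.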
Once the target terminal device to be network connection controlled is determined in step 502, this indicates that the target terminal device is abnormal; for example, it may be a counterfeit device that has been privately connected to the network. For this case, the following step 503 is performed.
Step 503, blocking the network connection between the target terminal device and the external management center network.
As an embodiment, the above-mentioned connection control device may be hooked on a core router, where the core router is a router connected between the network and an external management center network, such as a router on the backbone between the network and the external management center network. On this premise, blocking the network connection between the target terminal device and the external management center network in step 503 may include: obtaining from the core router a data packet exchanged when the target terminal device communicates with the external management center network, generating from the data packet a forged packet indicating that the destination of the data packet is unreachable, and sending the forged packet to the core router so that the core router sends it to the source of the data packet, the forged packet serving to interrupt the network connection between the target terminal device and the external management center network. Here, the data packet exchanged when the target terminal device communicates with the external management center network may be a data packet sent by the target terminal device to the external management center network, and/or a data packet sent by the external management center network to the target terminal device. In one example, the packets may be protocol datagrams, such as TCP packets or UDP packets. Taking a TCP packet as an example, fig. 6 shows that the forged packet is a connection reset (RST) packet. According to the TCP protocol, the sequence number of the RST packet is the sequence number carried by the data packet plus 1.
It should be noted that the reason for generating, from the obtained data packet, a forged packet indicating that the destination of the data packet is unreachable and sending it to the core router so that the core router forwards it to the source of the data packet is as follows. The connection control device is hooked on the core router, and the path between the core router and the source of the data packet is interworking; if the forged packet were not sent to the source of the data packet through the core router, the core router might directly forward the data packet to its destination, and the purpose of interrupting the network connection between the target terminal device and the external management center network would not be achieved. Based on this, when the connection control device is hooked on the core router, the core router mirrors the data packets exchanged when the target terminal device communicates with the external management center network to the connection control device, and the connection control device generates from the obtained data packet a forged packet indicating that the destination of the data packet is unreachable and sends it to the core router, which in turn sends it to the source of the data packet.
As another embodiment, the connection control device is connected in series between the network and the external management center network, that is, it sits on the communication path along which each terminal device in the network communicates with the external management center network. Based on this, blocking the network connection between the target terminal device and the external management center network in step 503 includes: intercepting and discarding the data packets exchanged when the target terminal device communicates with the external management center network. Here, such a data packet may be a data packet sent by the target terminal device to the external management center network, and/or a data packet sent by the external management center network to the target terminal device. In one example, the packets may be protocol datagrams, such as TCP packets or UDP packets. Because the connection control device is located on the communication path between each terminal device in the network and the external management center network, when it receives a data packet exchanged when the target terminal device communicates with the external management center network, it discards the data packet directly, so that the data packet never reaches its destination, and the purpose of blocking the network connection between the target terminal device and the external management center network is achieved.
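The in-series embodiment of step 503 amounts to a packet filter keyed on the set of target terminal devices. The following is an added example written for this page, not code from the patent or from the applicant: it parses the IPv4 header and the TCP/UDP ports (and, for TCP, the sequence number the hooked-on embodiment would read from a mirrored packet) of each packet crossing the inline connection control device, discards any packet between a target terminal device and the external management center network in either direction, and forwards everything else, including the target's traffic to other hosts in its own network, which the embodiment does not block. The management center prefix 192.0.2.0/24 and every address other than 10.19.10.12 (from fig. 7) are assumptions, and the packets are constructed inside the block rather than captured.

```python
"""Step 503, in-series embodiment, as an added illustration (not the patent's code).

The connection control device sits on the path between the network and the
external management center network and discards every packet exchanged
between a target terminal device and that network.  Addresses other than
10.19.10.12 (fig. 7) are assumptions.
"""
import ipaddress
import struct
from typing import Dict, List, Optional, Set, Tuple

# Assumed address range of the external management center network.
MGMT_CENTER_NET = ipaddress.ip_network("192.0.2.0/24")

IP_HDR = "!BBHHHBBH4s4s"   # IPv4 fixed header, 20 bytes
TCP_HDR = "!HHIIBBHHH"     # TCP header without options, 20 bytes
UDP_HDR = "!HHHH"          # UDP header, 8 bytes


def parse_packet(packet: bytes) -> Dict[str, Optional[object]]:
    """Extract the addresses, protocol, ports and (for TCP) the sequence number."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tot, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(IP_HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    l4 = packet[(ver_ihl & 0x0F) * 4:]
    fields: Dict[str, Optional[object]] = {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "proto": proto, "sport": None, "dport": None, "seq": None,
    }
    if proto == 6 and len(l4) >= 20:       # TCP
        fields["sport"], fields["dport"], fields["seq"] = struct.unpack("!HHI", l4[:8])
    elif proto == 17 and len(l4) >= 8:     # UDP
        fields["sport"], fields["dport"] = struct.unpack("!HH", l4[:4])
    return fields


def decide(packet: bytes, targets: Set[str]) -> Tuple[str, Dict[str, Optional[object]]]:
    """Return ("drop", fields) for a packet between a target terminal device and the
    external management center network in either direction, else ("forward", fields)."""
    f = parse_packet(packet)
    src = ipaddress.ip_address(f["src"])
    dst = ipaddress.ip_address(f["dst"])
    to_center = f["src"] in targets and dst in MGMT_CENTER_NET
    from_center = f["dst"] in targets and src in MGMT_CENTER_NET
    return ("drop" if to_center or from_center else "forward"), f


def build_packet(src: str, dst: str, proto: int, sport: int, dport: int, seq: int = 0) -> bytes:
    """Construct a minimal IPv4 + TCP/UDP packet for the demonstration
    (checksums left zero, no payload)."""
    if proto == 6:
        l4 = struct.pack(TCP_HDR, sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    elif proto == 17:
        l4 = struct.pack(UDP_HDR, sport, dport, 8, 0)
    else:
        raise ValueError("only TCP (6) and UDP (17) are constructed here")
    ip_hdr = struct.pack(IP_HDR, 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip_hdr + l4


def demo() -> List[str]:
    """Run four constructed packets through the inline decision."""
    targets = {"10.19.10.12"}
    packets = [
        build_packet("10.19.10.12", "192.0.2.10", 6, 40000, 443, seq=1000),  # target -> center
        build_packet("192.0.2.10", "10.19.10.12", 6, 443, 40000, seq=5000),  # center -> target
        build_packet("10.19.10.13", "192.0.2.10", 6, 40001, 443),            # non-target -> center
        build_packet("10.19.10.12", "10.19.10.20", 17, 5000, 5000),          # target -> same network
    ]
    return [decide(p, targets)[0] for p in packets]


if __name__ == "__main__":
    print(demo())  # ['drop', 'drop', 'forward', 'forward']
```

The decision is symmetric on purpose: the description above blocks packets in both directions, so a reply from the management center to a target is dropped even though the target never sent anything through the device. Matching on the management center prefix rather than on "everything leaving the network" keeps the target's other traffic unaffected, which is the scope the embodiment states.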
The flow shown in fig. 5 is completed.
The flow shown in fig. 5 is described below with reference to the embodiment shown in fig. 7:
Referring to fig. 7, fig. 7 is a schematic application diagram of the embodiment provided in the present application. As shown in fig. 7, the connection control device is hooked on the core router. Suppose the terminal device 700_a1 (IP address: 10.19.10.12) in network 1 shown in fig. 7 is determined to be the target terminal device according to steps 501 and 502 above; for example, the terminal device 700_a1 may be determined to be the target terminal device when its MAC address has changed relative to the MAC address in the stored terminal device information that includes the IP address 10.19.10.12.
When the terminal device 700_a1 is determined to be the target terminal device, the core router may monitor in real time the data packets, such as TCP data packets, sent by the terminal device 700_a1 and the data packets, such as TCP data packets, sent by the external management center network to the terminal device 700_a1. Once the core router detects a data packet, such as a TCP packet, sent from the terminal device 700_a1 or sent from the external management center network to the terminal device 700_a1, it mirrors the detected data packet to the attached connection control device.
Taking as an example a data packet, such as a TCP data packet, sent from the terminal device 700_a1 and detected by the core router: when the connection control device receives the data packet mirrored by the core router (here, the data packet sent from the terminal device 700_a1 to the external management center network), it forges an RST packet according to the received data packet. The sequence number of the RST packet is the sequence number of the received packet plus 1, so that on its face it corresponds to a packet returned by the destination (the external management center network) in response to the received packet. The connection control device then sends the RST packet to the core router, and the core router sends the RST packet to the source of the packet, namely the terminal device 700_a1. When the terminal device 700_a1 receives the RST packet, it concludes that the external management center network is unreachable, and the network connection between the terminal device 700_a1 and the external management center network is effectively broken. Thus the purpose of blocking the network connection between the target terminal device and the external management center network is achieved.
This completes the description of the embodiment shown in fig. 7.
The following describes a system provided in an embodiment of the present application:
Referring to fig. 8, fig. 8 is a schematic structural diagram of a system provided in an embodiment of the present application. As shown in fig. 8, the system may include a detection device and a connection control device.
In one example, the detection device is configured to perform the steps of the method shown in fig. 1;
the connection control device is configured to perform the steps of the method shown in fig. 5.
Correspondingly, as shown in fig. 9, an embodiment of the present application provides a connection control apparatus applied to the above-mentioned detection device. As shown in fig. 9, the apparatus may include:
a sending unit, configured to send a probe packet to terminal devices in the same network;
a receiving unit, configured to receive a response packet returned by a terminal device in the same network for the probe packet; the response packet carries terminal equipment information;
a connection control unit, configured to determine corresponding terminal device connection control information according to the terminal device information carried by the response packet, and to block the network connection between a target terminal device to be subjected to network connection control and an external management center network according to the terminal device connection control information.
As an embodiment, the sending unit sends the probe packet to the terminal devices in the same network in any one of the following manners:
sending a multicast detection packet to terminal equipment in the same network; all terminal devices in the same network belong to the multicast group corresponding to the multicast detection packet;
respectively sending unicast detection packets to each terminal device in the same network;
sending a broadcast detection packet to each terminal device in the same network.
As an embodiment, the connection control unit blocking the network connection between the target terminal device to be network connection controlled and the external management center network according to the terminal device connection control information includes:
sending the terminal device connection control information to the deployed connection control device, so as to trigger the connection control device to determine the target terminal device to be subjected to network connection control according to the terminal device connection control information and to block the network connection between the target terminal device and the external management center network.
As an embodiment, the connection control unit determining the terminal device connection control information corresponding to the terminal device according to the terminal device information carried in the response packet includes:
determining the terminal device information carried by the received response packet as the corresponding terminal device connection control information; or,
determining, according to the terminal device information carried by the received response packet, whether the terminal device corresponding to the terminal device information is a target terminal device to be subjected to network connection control, and, when it is, determining indication information indicating that the terminal device is a target terminal device to be subjected to network connection control as the corresponding terminal device connection control information.
Optionally, the terminal device information includes one parameter; as an embodiment, the connection control unit determining, according to the terminal device information carried in the received response packet, whether the terminal device corresponding to the terminal device information is a target terminal device to be subjected to network connection control includes: for each received response packet, when the terminal device information carried by the response packet is not in the configured terminal device information white list, determining that the terminal device corresponding to that terminal device information is a target terminal device to be subjected to network connection control; or,
the terminal device information includes two or more parameters, one of which is the IP address of the terminal device; determining, according to the terminal device information carried by the received response packet, whether the terminal device corresponding to the terminal device information is a target terminal device to be subjected to network connection control includes:
for the terminal device information carried by each response packet,
when reference terminal device information corresponding to the terminal device information is stored, the reference terminal device information including the same IP address, if the terminal device information differs from the reference terminal device information in at least one parameter, or if it differs in at least one parameter and the IP address in the terminal device information is not in a configured IP white list, determining that the terminal device corresponding to the terminal device information is a target terminal device to be subjected to network connection control; or,
when no such reference terminal device information is stored, or when no such reference terminal device information is stored and the IP address is not in the configured IP white list, determining that the terminal device corresponding to the terminal device information is a target terminal device to be subjected to network connection control.
As an embodiment, the detection device is connected in series in the network and located on the communication path along which each terminal device in the network communicates with the external management center network; based on this, as an embodiment, the connection control unit blocking the network connection between the target terminal device and the external management center network includes: intercepting and discarding the data packets exchanged when the target terminal device communicates with the external management center network.
This completes the description of the structure of the apparatus shown in fig. 9.
Referring to fig. 10, fig. 10 is a structural diagram of a connection control apparatus applied to a connection control device according to an embodiment of the present application. As shown in fig. 10, the apparatus may include:
an obtaining unit, configured to obtain, from deployed probe devices, terminal device connection control information corresponding to each terminal device in the same network as the probe device;
a determining unit, configured to determine, according to the obtained terminal device connection control information, a target terminal device to be subjected to network connection control;
a blocking unit, configured to block the network connection between the target terminal device and the external management center network.
As an embodiment, the terminal device connection control information is indication information indicating that the terminal device is a target terminal device to be network connection controlled; the determining unit determining the target terminal device to be subjected to network connection control according to the obtained terminal device connection control information includes: determining the terminal device indicated by the indication information as the target terminal device; or,
the terminal device connection control information is terminal device information that includes one parameter; the determining unit determining the target terminal device to be subjected to network connection control according to the obtained terminal device connection control information includes: when the terminal device information is not in the configured terminal device information white list, determining the terminal device corresponding to the terminal device information as the target terminal device; or,
the terminal device connection control information is terminal device information that includes two or more parameters, one of which is the IP address of the terminal device; the determining unit determining the target terminal device to be subjected to network connection control according to the obtained terminal device connection control information includes:
for each piece of terminal device information, when no reference terminal device information corresponding to the terminal device information is stored, or when no such reference terminal device information is stored and the IP address in the terminal device information is not in a configured IP white list, determining the terminal device corresponding to the terminal device information as the target terminal device, the reference terminal device information being terminal device information having the same IP address as the terminal device information; or,
for each piece of terminal device information, when reference terminal device information corresponding to the terminal device information is stored, if the terminal device information differs from the reference terminal device information in at least one parameter, or if it differs in at least one parameter and the IP address in the terminal device information is not in a configured IP white list, determining the terminal device corresponding to the terminal device information as the target terminal device.
As an embodiment, the connection control device is hooked on a core router, the core router being a router connected between the network and the external management center network; the blocking unit blocking the network connection between the target terminal device and the external management center network includes: obtaining from the core router a data packet exchanged when the target terminal device communicates with the external management center network, generating from the data packet a forged packet indicating that the destination of the data packet is unreachable, and sending the forged packet to the core router so that the core router sends it to the source of the data packet, the forged packet serving to interrupt the network connection between the target terminal device and the external management center network; or,
the connection control device is connected in series on the communication path along which each terminal device in the network communicates with the external management center network; the blocking unit blocking the network connection between the target terminal device and the external management center network includes: intercepting and discarding the data packets exchanged when the target terminal device communicates with the external management center network.
This completes the description of the apparatus structure shown in fig. 10.
The embodiment of the application also provides a hardware structure of the apparatus shown in fig. 9 or fig. 10. Referring to fig. 11, fig. 11 is a structural diagram of an electronic device according to an embodiment of the present application. As shown in fig. 11, the hardware structure may include a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor; the processor is configured to execute the machine-executable instructions to implement the methods disclosed in the above examples of the present application.
Based on the same inventive concept as the method, embodiments of the present application further provide a machine-readable storage medium storing several computer instructions; when the computer instructions are executed by a processor, the method disclosed in the above examples of the present application can be implemented.
The machine-readable storage medium may be, for example, any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions, data, and the like. For example, the machine-readable storage medium may be: RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, a storage drive (e.g., a hard drive), a solid state drive, any type of storage disk (e.g., an optical disk, a DVD, etc.), a similar storage medium, or a combination thereof.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the units may be implemented in one or more software and/or hardware when implementing the present application.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Furthermore, these computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (13)

1. A connection control method applied to a probe apparatus, comprising:
sending a detection packet to terminal equipment in the same network;
receiving a response packet returned by the terminal equipment in the same network aiming at the detection packet; the response packet carries terminal equipment information;
determining corresponding terminal equipment connection control information according to the terminal equipment information carried by the response packet, and blocking network connection between target terminal equipment to be subjected to network connection control and an external management center network according to the terminal equipment connection control information.
2. The method of claim 1, wherein the detection packet is sent to the terminal equipment in the same network in any one of the following manners:
sending a multicast detection packet to terminal equipment in the same network; all terminal devices in the same network belong to the multicast group corresponding to the multicast detection packet;
respectively sending unicast detection packets to each terminal device in the same network;
sending a broadcast detection packet to each terminal device in the same network.
3. The method of claim 1, wherein blocking the network connection between the target terminal device to be network connection controlled and the external management center network according to the terminal device connection control information comprises:
sending the terminal equipment connection control information to deployed connection control equipment, so as to trigger the connection control equipment to determine the target terminal equipment to be subjected to network connection control according to the terminal equipment connection control information and to block the network connection between the target terminal equipment and the external management center network.
4. The method of claim 1, wherein determining the corresponding terminal device connection control information according to the terminal device information carried by the response packet comprises:
taking the terminal device information carried by the received response packet as the corresponding terminal device connection control information; or,
determining, according to the terminal device information carried by the received response packet, whether the terminal device corresponding to that information is a target terminal device to be subjected to network connection control, and, when it is, taking indication information indicating that the terminal device is a target terminal device to be subjected to network connection control as the corresponding terminal device connection control information.
5. The method of claim 4, wherein
the terminal device information includes one parameter, and determining, according to the terminal device information carried by the received response packet, whether the corresponding terminal device is a target terminal device to be subjected to network connection control includes: for each received response packet, when the terminal device information it carries is not in a configured terminal device information white list, determining that the terminal device corresponding to that information is a target terminal device to be subjected to network connection control; or,
the terminal device information includes two or more parameters, one of which is the IP address of the terminal device, and determining, according to the terminal device information carried by the received response packet, whether the corresponding terminal device is a target terminal device to be subjected to network connection control includes:
for the terminal device information carried by each response packet,
when reference terminal device information corresponding to the terminal device information is stored (the reference terminal device information including the same IP address), if at least one parameter of the terminal device information differs from the reference terminal device information, or if at least one parameter differs and the IP address in the terminal device information is not in a configured IP white list, determining that the terminal device corresponding to the terminal device information is a target terminal device to be subjected to network connection control; or,
when no reference terminal device information corresponding to the terminal device information is stored, or when none is stored and the IP address is not in the configured IP white list, determining that the terminal device corresponding to the terminal device information is a target terminal device to be subjected to network connection control.
6. The method according to claim 5, wherein the probe device is deployed in-line in the network, on the communication path between each terminal device in the network and the external management center network; and blocking the network connection between the target terminal device and the external management center network includes: intercepting and discarding the data packets exchanged between the target terminal device and the external management center network.
7. A connection control method applied to a connection control device, comprising:
obtaining, from a deployed probe device, terminal device connection control information corresponding to each terminal device in the same network as the probe device;
determining, according to the obtained terminal device connection control information, a target terminal device to be subjected to network connection control;
and blocking the network connection between the target terminal device and an external management center network.
8. The method of claim 7, wherein
the terminal device connection control information is indication information indicating that a terminal device is a target terminal device to be subjected to network connection control, and determining the target terminal device according to the obtained terminal device connection control information includes: taking the terminal device indicated by the indication information as the target terminal device; or,
the terminal device connection control information is terminal device information that includes one parameter, and determining the target terminal device according to the obtained terminal device connection control information includes: when the terminal device information is not in a configured terminal device information white list, taking the terminal device corresponding to the terminal device information as the target terminal device; or,
the terminal device connection control information is terminal device information that includes two or more parameters, one of which is the IP address of the terminal device, and determining the target terminal device according to the obtained terminal device connection control information includes:
for each piece of terminal device information, when no reference terminal device information corresponding to it is stored, or when none is stored and the IP address in the terminal device information is not in a configured IP white list, taking the terminal device corresponding to the terminal device information as the target terminal device, the reference terminal device information corresponding to a piece of terminal device information being the reference information with the same IP address; or,
for each piece of terminal device information, when reference terminal device information corresponding to it is stored, if at least one parameter of the terminal device information differs from the reference terminal device information, or if at least one parameter differs and the IP address in the terminal device information is not in a configured IP white list, taking the terminal device corresponding to the terminal device information as the target terminal device.
9. The method of claim 7, wherein the connection control device is attached off-path to a core router, the core router being the router connected between the network and the external management center network; and blocking the network connection between the target terminal device and the external management center network includes: obtaining from the core router a copy of a data packet exchanged between the target terminal device and the external management center network, generating from that data packet a forged packet indicating that the destination of the data packet is unreachable, and sending the forged packet to the core router so that the core router delivers it to the source of the data packet, the forged packet serving to interrupt the network connection between the target terminal device and the external management center network; or,
the connection control device is deployed in-line on the communication path between each terminal device in the network and the external management center network; and blocking the network connection between the target terminal device and the external management center network includes: intercepting and discarding the data packets exchanged between the target terminal device and the external management center network.
10. A connection control system, characterized in that it comprises a probe device and a connection control device;
the probe device is adapted to perform the steps of the method according to any one of claims 1 to 6;
the connection control device is adapted to perform the steps of the method according to any one of claims 7 to 9.
11. A connection control apparatus, characterized in that the apparatus is applied to a probe device and comprises:
a sending unit, configured to send a probe packet to the terminal devices in the same network;
a receiving unit, configured to receive the response packets returned by the terminal devices in the same network for the probe packet, each response packet carrying terminal device information;
and a connection control unit, configured to determine corresponding terminal device connection control information according to the terminal device information carried by the response packets, and to block, according to the terminal device connection control information, the network connection between a target terminal device to be subjected to network connection control and an external management center network.
12. A connection control apparatus, characterized in that the apparatus is applied to a connection control device and comprises:
an obtaining unit, configured to obtain, from a deployed probe device, terminal device connection control information corresponding to each terminal device in the same network as the probe device;
a determining unit, configured to determine, according to the obtained terminal device connection control information, a target terminal device to be subjected to network connection control;
and a blocking unit, configured to block the network connection between the target terminal device and an external management center network.
13. An electronic device, comprising: a processor and a machine-readable storage medium;
the machine-readable storage medium stores machine-executable instructions executable by the processor;
the processor is configured to execute the machine-executable instructions to perform the method steps of any one of claims 1 to 9.
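The target-selection rules of claims 5 and 8 are the same test, run either on the probe device (claim 5) or on the connection control device after it receives the raw terminal device information (claim 8), so one worked implementation covers both. The following is an added example written for this page, not code from the patent or from Hikvision. The parameter names (ip, mac, model, serial), the Policy structure, the consult_ip_whitelist switch that selects between the "mismatch alone" and "mismatch and IP not white-listed" variants, and the sample responses are all assumptions; the claims only require one parameter, or two or more parameters one of which is the IP address.

```python
"""Target selection of claims 5 and 8 (added example; names and sample data are assumptions)."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    # single-parameter branch: white list of the one parameter's value
    info_whitelist: set = field(default_factory=set)
    # multi-parameter branch: reference record per IP, captured when the
    # device was enrolled; the record always contains the IP itself
    reference: dict = field(default_factory=dict)
    # IP white list used by the "... and the IP is not in the white list" variants
    ip_whitelist: set = field(default_factory=set)
    # False: a mismatch or an unknown IP alone makes the device a target
    # True : the IP must additionally be absent from ip_whitelist
    consult_ip_whitelist: bool = False


def differs_from_reference(info: dict, ref: dict) -> bool:
    """True when at least one reference parameter is absent from, or different in, the response."""
    return any(info.get(name) != value for name, value in ref.items())


def is_target(info: dict, policy: Policy) -> bool:
    """Decide whether the device that produced `info` must be cut off from the management center."""
    if len(info) == 1:
        # claim 5 first branch / claim 8 second branch: plain white-list lookup
        (value,) = info.values()
        return value not in policy.info_whitelist

    ip = info["ip"]                          # the one parameter the claims name explicitly
    ref = policy.reference.get(ip)           # reference record with the same IP address
    if ref is None:
        mismatch = True                      # no reference stored for this IP
    else:
        mismatch = differs_from_reference(info, ref)
    if not mismatch:
        return False                         # enrolled device, every parameter agrees
    if policy.consult_ip_whitelist and ip in policy.ip_whitelist:
        return False                         # mismatch tolerated for white-listed IPs
    return True


def select_targets(responses: list, policy: Policy) -> list:
    """Connection control information handed to the controller: the identifiers of devices to block."""
    targets = []
    for info in responses:
        if is_target(info, policy):
            targets.append(info.get("ip", next(iter(info.values()))))
    return targets


# ---- constructed sample data, not taken from the patent ----
POLICY = Policy(
    info_whitelist={"CAM-0001", "CAM-0002"},
    reference={
        "10.0.1.11": {"ip": "10.0.1.11", "mac": "00:11:22:33:44:01", "model": "IPC-A"},
        "10.0.1.12": {"ip": "10.0.1.12", "mac": "00:11:22:33:44:02", "model": "IPC-A"},
    },
    ip_whitelist={"10.0.1.200"},
    consult_ip_whitelist=True,
)

RESPONSES = [
    {"ip": "10.0.1.11", "mac": "00:11:22:33:44:01", "model": "IPC-A"},  # enrolled camera, unchanged
    {"ip": "10.0.1.12", "mac": "de:ad:be:ef:00:02", "model": "IPC-A"},  # enrolled IP, different MAC
    {"ip": "10.0.1.50", "mac": "00:aa:bb:cc:dd:ee", "model": "PC"},     # never enrolled
    {"ip": "10.0.1.200", "mac": "00:aa:bb:cc:dd:ff", "model": "NVR"},   # never enrolled, IP white-listed
]

if __name__ == "__main__":
    print(select_targets(RESPONSES, POLICY))
```

A missing parameter counts as a difference, which is the conservative reading of "differs in at least one parameter": a device that answers with fewer fields than its enrolment record is treated as changed rather than as matching. The comparison is only as strong as the parameters an impostor cannot reproduce; IP and MAC are set freely by whoever plugs into the camera's port, so a reference record built from addresses alone is weak, and the response packet itself is trusted as sent unless the probe protocol authenticates it.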
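The off-path branch of claim 9, in which the connection control device sits beside the core router, receives a copy of the target's packets and answers with a forged "destination unreachable", as a working packet-level example. This is added for this page and is not the patent's or Hikvision's code. Assumptions: IPv4 only; the router mirrors packets to the controller and the controller injects its forged packet through a raw socket; the forged ICMP is sourced from the management-center address (the router's own address would be equally plausible); the addresses, ports and the sample SYN are constructed.

```python
"""Forged ICMP Destination Unreachable for claim 9's off-path blocking (added example; addresses constructed)."""
import ipaddress
import socket
import struct
from typing import Optional

ICMP_DEST_UNREACH = 3                  # ICMP type
ICMP_PORT_UNREACH = 3                  # code: a "hard" error a connecting TCP stack acts on (RFC 1122)
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}   # never answer an ICMP error with another ICMP error


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 when run over data whose checksum field is already valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4(pkt: bytes) -> dict:
    """Split an IPv4 datagram into the fields the controller needs, plus raw header and payload."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("truncated IPv4 packet")
    return {
        "proto": pkt[9],
        "src": socket.inet_ntoa(pkt[12:16]),
        "dst": socket.inet_ntoa(pkt[16:20]),
        "header": pkt[:ihl],
        "payload": pkt[ihl:total_len],      # trailing link-layer padding is dropped
    }


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64, ident: int = 0) -> bytes:
    """Minimal IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def forge_unreachable(captured: bytes, code: int = ICMP_PORT_UNREACH, sender: Optional[str] = None) -> bytes:
    """ICMP Destination Unreachable sent to the captured packet's source, quoting its IP header plus 8 bytes (RFC 792)."""
    ip = parse_ipv4(captured)
    quoted = ip["header"] + ip["payload"][:8]
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return build_ipv4(sender or ip["dst"], ip["src"], socket.IPPROTO_ICMP, icmp)


def handle_mirrored(pkt: bytes, targets: set, mgmt_net: ipaddress.IPv4Network) -> Optional[bytes]:
    """Controller decision for one mirrored packet: the forged reply to hand back to the router, or None."""
    ip = parse_ipv4(pkt)
    if ip["src"] not in targets or ipaddress.ip_address(ip["dst"]) not in mgmt_net:
        return None                             # not a target talking to the management center
    if ip["proto"] == socket.IPPROTO_ICMP and len(ip["payload"]) > 0 and ip["payload"][0] in ICMP_ERROR_TYPES:
        return None                             # answering an ICMP error would start an error storm
    return forge_unreachable(pkt)


def send_raw(pkt: bytes) -> None:
    """Inject via a raw socket (needs CAP_NET_RAW); the destination is taken from the packet itself."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.sendto(pkt, (parse_ipv4(pkt)["dst"], 0))


def sample_tcp_syn(src: str, sport: int, dst: str, dport: int, seq: int = 0x1000) -> bytes:
    """Constructed sample of a target's connection attempt; TCP checksum left zero as it is only quoted back."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, 0, 0)
    return build_ipv4(src, dst, socket.IPPROTO_TCP, tcp, ident=0x1234)


# constructed topology: target camera 10.0.1.50, management center in 192.0.2.0/24
MGMT_NET = ipaddress.ip_network("192.0.2.0/24")
TARGETS = {"10.0.1.50"}
SAMPLE_SYN = sample_tcp_syn("10.0.1.50", 40000, "192.0.2.10", 8000)

if __name__ == "__main__":
    reply = handle_mirrored(SAMPLE_SYN, TARGETS, MGMT_NET)
    print(reply.hex() if reply else "pass-through")
```

Which ICMP code the endpoint honours decides how much this blocks. RFC 1122 lists port and protocol unreachable as hard errors that abort a connection attempt, and Linux aborts a TCP socket in SYN_SENT or SYN_RECV on them, but for an established TCP connection Linux records the ICMP error only as a soft error; the forged packet therefore reliably stops new connections and UDP flows, while a management session that is already up usually survives it, and an injected TCP RST with a valid sequence number is the usual complement. Because the controller is off-path, its reply also races the real response from the management center. The in-line branch of the same claim needs none of this: a drop rule keyed on the target's address and the management-center prefix in the forwarding path is enough, at the price of the in-line device becoming a single point of failure for all management traffic.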
CN202010849749.9A 2020-08-11 2020-08-21 Connection control method, system, device and electronic equipment Active CN111740883B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010802647 2020-08-11
CN2020108026471 2020-08-11

Publications (2)

Publication Number Publication Date
CN111740883A true CN111740883A (en) 2020-10-02
CN111740883B CN111740883B (en) 2021-01-26

Family

ID=72658771

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010849749.9A Active CN111740883B (en) 2020-08-11 2020-08-21 Connection control method, system, device and electronic equipment

Country Status (3)

Country Link
EP (1) EP4199444A4 (en)
CN (1) CN111740883B (en)
WO (1) WO2022033381A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022033381A1 (en) * 2020-08-11 2022-02-17 杭州海康威视数字技术股份有限公司 Connection control method, system and apparatus, and electronic device

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105791047A (en) * 2016-02-29 2016-07-20 农忠海 Method for controlling management system of secure video private network
US20160357424A1 (en) * 2015-06-05 2016-12-08 Cisco Technology, Inc. Collapsing and placement of applications
CN106899444A (en) * 2015-12-21 2017-06-27 北京奇虎科技有限公司 A kind of end-probing method and device for many LANs
CN107087008A (en) * 2017-05-26 2017-08-22 北京立思辰新技术有限公司 The method for safety monitoring and system of a kind of medical network
CN107707560A (en) * 2017-10-31 2018-02-16 迈普通信技术股份有限公司 Authentication method, system, network access equipment and Portal server
CN107846409A (en) * 2017-11-17 2018-03-27 广州葵翼信息科技有限公司 A kind of smart city network integration and safety management system
CN109981344A (en) * 2019-02-19 2019-07-05 新华三技术有限公司 Scan method, device and network forwarding equipment
CN110830516A (en) * 2019-12-19 2020-02-21 深信服科技股份有限公司 Network access method, device, network control equipment and storage medium
CN110868429A (en) * 2019-12-20 2020-03-06 北京网太科技发展有限公司 BGP routing protocol security protection method and device

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107395588A (en) * 2017-07-18 2017-11-24 浙江远望通信技术有限公司 Video monitoring accesses safe blocking-up method and system
US10469449B2 (en) * 2017-07-26 2019-11-05 Bank Of America Corporation Port authentication control for access control and information security
CN108521399A (en) * 2018-02-24 2018-09-11 浙江远望通信技术有限公司 A kind of video monitoring safety cut-in method based on equipment feature recognition and white list
CN109474588A (en) * 2018-11-02 2019-03-15 杭州迪普科技股份有限公司 A kind of terminal authentication method and device
CN110677435A (en) * 2019-10-28 2020-01-10 上海云赛智联信息科技有限公司 Monitoring information safety control system and monitoring management system
CN110830494B (en) * 2019-11-14 2022-11-22 深信服科技股份有限公司 IOT attack defense method and device, electronic equipment and storage medium
CN111740883B (en) * 2020-08-11 2021-01-26 杭州海康威视数字技术股份有限公司 Connection control method, system, device and electronic equipment

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160357424A1 (en) * 2015-06-05 2016-12-08 Cisco Technology, Inc. Collapsing and placement of applications
CN106899444A (en) * 2015-12-21 2017-06-27 北京奇虎科技有限公司 A kind of end-probing method and device for many LANs
CN105791047A (en) * 2016-02-29 2016-07-20 农忠海 Method for controlling management system of secure video private network
CN107087008A (en) * 2017-05-26 2017-08-22 北京立思辰新技术有限公司 The method for safety monitoring and system of a kind of medical network
CN107707560A (en) * 2017-10-31 2018-02-16 迈普通信技术股份有限公司 Authentication method, system, network access equipment and Portal server
CN107846409A (en) * 2017-11-17 2018-03-27 广州葵翼信息科技有限公司 A kind of smart city network integration and safety management system
CN109981344A (en) * 2019-02-19 2019-07-05 新华三技术有限公司 Scan method, device and network forwarding equipment
CN110830516A (en) * 2019-12-19 2020-02-21 深信服科技股份有限公司 Network access method, device, network control equipment and storage medium
CN110868429A (en) * 2019-12-20 2020-03-06 北京网太科技发展有限公司 BGP routing protocol security protection method and device

Also Published As

Publication number Publication date
EP4199444A1 (en) 2023-06-21
CN111740883B (en) 2021-01-26
WO2022033381A1 (en) 2022-02-17
EP4199444A4 (en) 2024-02-21

Similar Documents

Publication Publication Date Title
US20180109953A1 (en) Method, Apparatus, and System for Preventing Diameter Signaling Attack in Wireless Network
CN103596173B (en) Wireless network authentication method, client and service end wireless network authentication device
US8706085B2 (en) Method and apparatus for authenticating communication device
US8385552B2 (en) Techniques for managing keys using a key server in a network segment
KR101550482B1 Detection of anomaly of traffic emitted by a mobile terminal in a radiocommunication network
CN107241301B (en) Method, device and system for defending reflection attack
EP2127247B1 (en) Intrusion prevention system for wireless networks
US20190068762A1 (en) Packet Parsing Method and Device
CN113746788A (en) Data processing method and device
CN106878326A (en) The guard method of IPv6 neighbor caches and its device based on inverse detection
US11019037B2 (en) Security improvements in a wireless data exchange protocol
US20170099289A1 (en) Temporary Mac Address-Based Access Method, Apparatus, and System
Park et al. Session management for security systems in 5g standalone network
CN103414641B (en) Neighbor table item release, device and the network equipment
US20080126455A1 (en) Methods of protecting management frames exchanged between two wireless equipments, and of receiving and transmitting such frames, computer programs, and data media containing said computer programs
CN111740883B (en) Connection control method, system, device and electronic equipment
EP3932044B1 (en) Automatic distribution of dynamic host configuration protocol (dhcp) keys via link layer discovery protocol (lldp)
CN106465117B (en) Method, device and communication system for accessing terminal to communication network
CN110830421B (en) Data transmission method and device
CN108400897B (en) Network security configuration method and device
CN110290124A (en) A kind of interchanger inbound port blocking-up method and device
CN110677389B (en) SSL protocol-based hybrid attack protection method and device
US20100177782A1 (en) Confidential transmission of data by change of frequency in a telecommunications network
EP2600574A1 (en) Communication system, control apparatus and control program
US20060075229A1 (en) Method and apparatus for maintaining a communications connection while guarding against bandwidth consuming attacks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant